An Internet fraud (online scam) is the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them; for example, by stealing personal information, which can even lead to identity theft. A very common form of Internet fraud is the distribution of rogue security software. Internet services can be used to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme. Research suggests that online scams can happen through social engineering[1] and social influence. They can occur in chat rooms, social media, email, message boards, or on websites.[2]

Purchase fraud occurs when a criminal approaches a merchant and proposes a business transaction, and then uses fraudulent means such as a stolen or fake credit card to pay for it. Thus, the merchant does not get paid for the sale. Merchants who accept credit cards may receive a chargeback for the transaction and, in the process, lose money. The most common fraud takes place using credit cards. This is when the account numbers and PINs are obtained when a transaction is done. The fraudsters use this information to withdraw money from unsuspecting individuals. During this transaction, a fraudster may also steal the buyer's identity, impersonate the buyer, and request payment to an offshore account, giving an excuse that cannot be verified as a pretext to steal the credit card.

According to the FBI, on April 26, 2005 Tom Zeller Jr. wrote an article in The New York Times[3] regarding a surge in the quantity and quality of the forging of U.S. postal money orders, and its use to commit online fraud. Small Internet retailers, classified advertisers and individuals contacted by defrauders online are victims of this fraudulent activity.[citation needed]

In the United States of America, the penalty for making or using counterfeit postal money orders is up to ten years in jail and/or a $25,000 fine.[4]

A fraudster posts a nonexistent vehicle for sale to a website, typically a luxury or sports car, advertised for well below its market value. The details of the vehicle, including photos and description, are typically lifted from sites such as Craigslist, AutoTrader.com, Cars.com and PakWheels.com. An interested buyer, hopeful for a bargain, emails the fraudster, who responds saying the car is still available but is located overseas. Or, the scammer will say that he is out of the country but the car is with a shipping company. The scam artist then instructs the victim to send a deposit or full payment via wire transfer to initiate the "shipping" process. To make the transaction seem more legitimate, the fraudster will ask the buyer to send money to a fake agent of a third party that claims to provide purchase protection. The unwitting victims wire the funds, and subsequently discover they have been scammed. In response, auto sales websites often post warnings to buyers, for example, those on Craigslist which warn not to accept offers in which vehicles are shipped, where funds are paid using Western Union or wire, etcetera, requesting those postings to be flagged as abuse.[5]

In another type of fraud, a fraudster contacts someone who has posted a vehicle for sale online, asking for the vehicle identification number (VIN) in order to check the accident record of the vehicle. However, the crook actually uses the VIN to make fake documentation for a stolen car, in order to sell it.

A fraudster may pose as a buyer who will pay by PayPal, check, money order, or wire transfer, and tell the seller he will have a shipping/trucking company haul the car away. The fraudster then cancels the check, or the account has insufficient funds, and the seller is scammed out of the vehicle. Fraudsters will also pose as buyers and direct the seller to click on a link or go to a website to enter vehicle information or post more pictures, which can compromise the seller's computer or download a virus; or they hope the seller's picture has a geotag, which they can use to steal the vehicle.

Vehicles can also be used as part of a counterfeit cashier's check scam.

Whilst the vast majority of websites in Japan are of genuine business companies, it is also a fact that online scams and fraud are alive, well, and very big business in Japan. It is very important for foreign importers to verify each company and not send money until fully satisfied. Verification of each Japanese company under the "Japan Company Trust Organization" can also be helpful.

Landlords placing advertisements on Craigslist or rent.com receive an e-mail response from a prospective renter from a foreign country, typically a student fresh out of secondary education (high school in the U.S.). The first inquiry seems legitimate. The second usually comes with a request for more information and an attachment from a fake company set up by the scam artist indicating that the "student" has won a part-time scholarship from the company. (The fraudster will often set up a fake website for the company, in order to make the attachment seem legitimate.) The scam comes with the third e-mail: a request for the victim's name and address so that the "company" can send a cashier's check to cover the rent and the "student's" travel costs. The check amount is always more than you asked for as collateral for reserving the place for that person.

The victim is instructed to cash the check and also transfer the money to the fraudster's account. Or, the prospective tenant may ask you to make the flat ready to move in and arrange transport from the airport. However, the tenant will have to cancel the trip for some unavoidable reason and will ask you to keep one month's rent as compensation and send the rest through Western Union. The check is always in the name of a company. In the United States, banks consider cashier's checks to be "guaranteed funds" and will typically cash them instantly. However, unlike a certified check,[citation needed] the bank that cashes a cashier's check can still take back the money from the depositor if the check is counterfeit or "bounces". Because of the lag between the cashing and clearing of the check, the victim does not realize that they have been had until their account is debited for the amount they wired to the fraudster, plus any fees for the bounced check.

In this variation, a fraudster feigns interest in a vehicle for sale on the Internet. The "buyer" explains that he represents a client who is interested in the car, but due to an earlier sale that fell through, he has a cashier's check made out for thousands more than the asking price. The scammer requests that the victim cash the check and refund the balance via wire transfer. If the seller agrees to the transaction, the fraudster sends the counterfeit cashier's check via express courier (typically from Nigeria). The victim takes the check to their bank, which makes the funds available immediately. Thinking the bank has cleared the check, the seller follows through on the transaction by wiring the balance to the buyer. Days later, the check bounces, and the victim is responsible for the amount they wired to the fraudster, plus any fees associated with the bounced check.

Defrauders negotiate large purchases with the victim (e.g. ordering $50,000 to $200,000 worth of goods) agreeing to an advance payment via bank wire transfer. After ordering, the fraudster claims that paying via wire transfer is impractical, and instead sends a counterfeit cheque drawn on the account of a real, uninvolved organization as an alternate payment. After the cheque clears, the victim company ships the goods. When the uninvolved organization notices the fraudulent transaction against their account, they request a chargeback, resulting in the victim losing both the money and the goods.

In some cases, thieves learn the address of a merchant's bank, and send counterfeit cheques directly to the bank. They then claim a direct deposit was made after the cheque is deposited by bank staff, hoping the victim will only notice the apparently available funds, and not the fact that it was a cheque deposit that the bank has not yet fully cleared.

In other cases, defrauders negotiate smaller transactions (e.g. ordering $456,000 to $10,000 worth of goods) with fraudulent cheques written for more than the purchase amount, and instruct the merchant to refund "excess" amounts via Western Union money transfer to an account in another country.

In African re-shipping scams, fraudsters recruit victims from Western countries via chat rooms and dating websites, developing long-distance relationships with their victims to obtain personal details. After the victim accepts a marriage proposal from the scammer, items are bought online using credit card information stolen from other people and shipped to victims without their knowledge. The fraudster then claims the goods were sent to the wrong address, and asks the victim to apply pre-printed labels to the packages and re-ship them to fraudsters' real address. Once the victim re-ships the goods, the fraudster ceases all communication with the victim. Victims often discover that the shipping account for the pre-printed labels is in their name when the freight company bills them for the shipping costs.

The Eastern European re-shipping scam is a variant of the Nigerian version in which fraudsters recruit victims through classified advertising by presenting themselves as a growing European company trying to establish a presence in the United States.

The fraudsters explain that they will buy goods in the United States that need to be re-shipped to a final destination in Europe. The thieves then ship fraudulently purchased goods to the victims, and the victims re-ship goods to the fraudsters. Sometimes, if the fraudsters send pre-printed shipping labels to the victims, they also include a counterfeit check as payment for the re-shipper's services. By the time the check bounces, the goods have already been re-shipped and the fraudsters stop all communication with their victims.

The Chinese re-shipping scam is a variant of the Eastern European version, in which fraudsters recruit victims through spam. The fraudsters present themselves as a growing Chinese company trying to establish a presence in the United States or Europe.

In the Australian re-shipping scam, a company in the United States is contacted by a potential customer, stating they would like to place an order with the company. Once the company responds, verifying that the desired products are in stock, the fraudster will then ask for a shipping quotation to Australia, and explain that they will be paying via credit card.

Once the victim company sends the quotation to the fraudster, they reply that they will have their U.S. agent or freight representative come to the company's location and pick up the merchandise, and the agent will ship the goods to the "customer". The fraudster then asks the company to add a plausible additional charge of US$700 to US$1,500 onto the total cost, and pay that amount to the "agent" when they arrive to collect the goods. The scammer also offers additional compensation to the company, for the extra trouble of paying their agent. The offered reasons for this arrangement might be "the freight company only accepts cash", or "the agent is unable to process credit cards". If the victim company responds that this is not possible, the fraudster will cut off communication.

In an online auction scheme, a fraudster starts an auction on a site such as eBay or TradeMe with very low prices and no reserve price, especially for typically high priced items like watches, computers, or high value collectibles. The fraudster accepts payment from the auction winner, but either never delivers the promised goods, or delivers an item that is less valuable than the one offered—for example, a counterfeit, refurbished, or used item. According to data from law enforcement and consumer protection organizations, fraudulent schemes appearing on online auction websites are among the most frequently reported form of mass-marketing fraud.[6]

Online retail schemes involve complete online stores that appear to be legitimate. As with the auction scheme, when a victim places an order through such a site, their funds are taken but no goods are sent, or inferior goods are sent.

In some cases, the stores or auctioneers were once legitimate, but eventually stopped shipping goods after accepting customer payments.

Sometimes fraudsters will use phishing techniques to hijack a legitimate member's account on an online auction site—typically an account with a strongly positive online reputation—and use it to set up a phony online store. In this case, the fraudster collects the money, while ruining the reputation of the conned eBay member. When victims complain that they have not received their goods, the legitimate account holder receives the blame.

A more subtle variation of online auction fraud occurs when a seller ships an item to an incorrect address that is within the buyer's ZIP code using the United States Postal Service's Delivery Confirmation service. This service does not require the recipient to sign for the package, but offers confirmation that the Postal Service delivered the package within the specified ZIP code. The item shipped is usually an empty envelope with no return address and no recipient name, just a street address different from that of the victim. The delivery of the envelope with the Delivery Confirmation barcode attached suffices for the Postal Service to record the delivery as confirmed. The fraudster can then claim the package has been delivered, and offer the Delivery Confirmation receipt as proof to support the claim.

In a collection in person PayPal scheme, the scammer targets eBay auctions that allow the purchaser to personally collect the item from the seller, rather than having the item shipped, and where the seller accepts PayPal as a means of payment.

The fraudster uses a fake address with a post office box when making their bids, as PayPal will allow such an unconfirmed address. Such transactions are not covered by PayPal's seller protection policy. The fraudster buys the item, pays for it via PayPal, and then collects the item from the victim. The fraudster then challenges the sale, claiming a refund from PayPal and stating that they did not receive the item. PayPal's policy is that it will reverse a purchase transaction unless the seller can provide a shipment tracking number as proof of delivery; PayPal will not accept video evidence, a signed document, or any form of proof other than a tracking number as valid proof of delivery.[citation needed] This form of fraud can be avoided by only accepting cash from buyers who wish to collect goods in person.

In a call tag scam, criminals use stolen credit card information to purchase goods online for shipment to the legitimate cardholder. When the item is shipped, the criminal receives tracking information via email. They then call the cardholder and falsely identify themselves as the merchant that shipped the goods, saying that the product was mistakenly shipped and asking permission to pick it up when it is delivered. The criminal then arranges the pickup, using a "call tag" with a different shipping company. The victim usually doesn't notice that a second shipping company is picking up the product, and the shipping company has no knowledge it is participating in a fraud scheme.

The cardholder may later notice the charge on his statement and protest the charge, generating a chargeback to the unsuspecting merchant.

Con artists often use the Internet to advertise supposed business opportunities that allow individuals to earn thousands of dollars a month in "work-at-home" ventures. These schemes typically require the individuals to pay nominal to substantial sums for the "business plans" or other materials. The fraudsters then fail to deliver the promised materials, provide inadequate information to make a viable business, or provide information readily available for free or a substantially lower cost elsewhere.

In one such scheme, after paying a registration fee the victim will be sent advice on how to place ads, similar to the one that recruited him, in order to recruit others. This is a form of Ponzi scheme.

Another work-at-home scam involves kits for small doodads such as CD cases to be assembled by the victim in their home. The victim pays a fee for the kit, but after assembling and returning the item, the scammer rejects it as substandard, refusing to reimburse the victim for the cost of the kit. Variations on this scam include work on directories, stuffing envelopes, doing medical billing or data entry, reading books, and even translating documents from the victim's native tongue into English.

An elaborate variation on this theme lures the victim with an e-mailed job offer from a fake company. The scammer may have constructed an elaborate website for the company, to make the offer appear legitimate. The job offer includes an unrealistically generous salary for part-time, unskilled labor. The main responsibility of this well-paying job is to be a middleman for "donations", supposedly intended for victims of a natural disaster.

The scammer then asks the victim for their bank account numbers, allegedly to deposit donations into the victim's account so that the victim can redistribute them. As part of the "hiring process", the fraudster also asks for the victim's Social Security number and date of birth.

With this information, the criminal monitors the victim's account balances. When a larger-than-normal amount appears in the bank account, such as a paycheck, the scammer drains the account.

Generally, the faked company website will locate the company in a different country from the scammer; this may be noticeable by inspecting the domain registration for the website, which may indicate the scammer's true country of origin. In addition, victims in Western countries are targeted using a Western-sounding pseudonym like "Timothy Scott", while the domain name tgilberthome.org is actually registered to a "Li Xiang".

A recent work-at-home scam exploits unemployed people. A job working at home is offered, with the fraudster claiming to represent a real corporation. He sets up an instant messenger interview, usually over Yahoo. There he tells the person that they are hired and will receive high pay and full benefits. They must purchase bookkeeping software to work there, for around six hundred dollars. This money must be paid via Western Union. Of course the fraudster keeps the money, and there is no real job. Victims have called the company afterwards, but the fraudster never actually worked for or represented the company.

With dating fraud, often the con artist develops a relationship with their victim through an online dating site and convinces the victim to send money to the fraudster. The requests for money can be a one-time event, or repeated over an extended period of time.

Although online dating has its dangers, three major dating services, eHarmony, Match.com and Spark Networks, have all agreed to take steps to keep their members safe from common online dating dangers.[7] These steps include: checking registered members against the national sex offender database; providing ongoing tips and guides on how to meet that special someone in person in a safe way; providing ongoing tips and guides on how to safely interact with other members so as to avoid fraud; and rapid abuse reporting systems so members can report abuse or suspected fraud as it happens, allowing the companies to take swifter action.

A new term in dating fraud is "catfish", referring to "a person who creates a false online identity in the hopes of luring people into romantic relationships."[8]

The scammer poses as a charitable organization soliciting donations to help the victims of a natural disaster, terrorist attack (such as the Sept. 11 World Trade Center attack), regional conflict, or epidemic. Hurricane Katrina and the 2004 tsunami were popular targets of scammers perpetrating charity scams; other more timeless scam charities purport to be raising money for cancer, AIDS or Ebola virus research, children's orphanages (the scammer pretends to work for the orphanage or a non-profit associated with it), or impersonates charities such as the Red Cross or United Way. The scammer asks for donations, often linking to online news articles to strengthen their story of a funds drive. The scammer's victims are charitable people who believe they are helping a worthy cause and expect nothing in return. Once sent, the money is gone and the scammer often disappears, though many attempt to keep the scam going by asking for a series of payments. The victim may sometimes find themselves in legal trouble after deducting their supposed donations from their income taxes. United States tax law states that charitable donations are only deductible if made to a qualified non-profit organization.[9] The scammer may tell the victim their donation is deductible and provide all necessary proof of donation, but the information provided by the scammer is fictional, and if audited, the victim faces stiff penalties as a result of the fraud. Though these scams have some of the highest success rates especially following a major disaster, and are employed by scammers all over the world, the average loss per victim is less than other fraud schemes. This is because, unlike scams involving a large expected payoff, the victim is far less likely to borrow money to donate or donate more than they can spare.[10]

In a related variant, the scammer poses as a terminally ill mother, poor university student, or other down-on-their-luck person and simply begs the victim for money for college tuition, to sponsor their children, or a similar ruse. The money, they say, will be repaid plus interest by some third party at a later date (often these third parties are some fictitious agency of the Nigerian government, or the scammer themselves once a payment from someone else is made available to them). Once the victim starts paying money to the scammer, the scammer tells the victim that additional money is needed for unforeseen expenses, similar to most other variants; in the case of the ill mother, the children will fall ill as well and require money for a doctor's care and medicine (many scammers go as far as to say that as the sponsor of the children, the victim is legally liable for such costs), where the student might claim that a dormitory fire destroyed everything they own.[citation needed]

Customers of dial-up Internet service providers, such as AOL, use a modem to dial a local telephone number in order to connect to the Internet. Some web sites, typically containing adult content, trick consumers into paying to view content on their web site by convincing them to unwittingly make international telephone calls with their modem.

Often these sites claim to be free, and advertise that no credit card is needed to view the site. They prompt the user to download a "viewer" or "dialer" program to allow them to view the content. Once the program is downloaded, it disconnects the computer from the victim's usual Internet service provider and dials an international long-distance or premium-rate number, charging unexpectedly high rates to the victim's long-distance phone bill.

While one can usually request that their phone company block their line from making international calls in order to prevent this scam, there are loopholes that the scammers can exploit. In the United States and Canada, phone numbers are assigned Country Code "1" and a three-digit "area code" under the North American Numbering Plan (NANP). However, Bermuda and 16 Caribbean countries are also part of the NANP, so a phone number that has the same appearance as a domestic number may actually be an overseas call. The particular numbers belong to telephone companies that participate in the fraud by charging extremely high rates that are kicked back to the scammer. Scammers can also use a "Carrier Access Code" to override the user's default choice of long-distance company; this works around the international-calling block that the customer placed with that company.

Internet marketing and retail fraud is a fast-growing[11] area perpetrated by dishonest internet marketing and retail sites involving a variety of products and services. The victim is tricked, by a legitimate-looking site and effective marketing, into giving their credit card information and card security code (or sending funds by other means) in exchange for what they believe to be goods or services. The goods never arrive, turn out to be fake, or are products worth less than those advertised.

Where a credit card is involved, the perpetrators may also use the customer's credit card information to obtain cash or to make purchases of their own. A common example of this type of fraud would be pornographic websites that advertise free access, but require a credit card "for age verification purposes only". The scammers use the credit card information to make fraudulent charges.

Internet marketing and retail fraud involving health products may sell fake or worthless goods. These products might advertise a quick way to lose weight, a cure for a serious disease, or make other sensational claims.

claims to be a "scientific breakthrough", featuring fake doctors or scientists making claims for the product; may include technical jargon that experts in the field will recognize as being used inappropriately

features a long list of "personal testimonials", without sufficient information to verify them

Consumers find that once these types of scammers obtain their credit card information, fraudulent charge attempts will be made even after the card is cancelled. Credit and consumer protection laws in many countries hold the credit card company liable to refund their customers' money for goods or services purchased with the card that are not delivered. The credit card company then has to absorb the loss, but these costs are ultimately passed on to consumers in the form of higher interest rates and fees.

A variation of Internet marketing fraud offers tickets to sought-after events such as concerts, shows, and sports events. The tickets are fake, or are never delivered. The proliferation of online ticket agencies, and the existence of experienced and dishonest ticket resellers, has fueled this kind of fraud. Many such scams are run by British ticket touts, though they may base their operations in other countries.[12]

A prime example was the global 2008 Beijing Olympic Games ticket fraud run by US-registered Xclusive Leisure and Hospitality, sold through a professionally designed website, www.beijingticketing.com, with the name "Beijing 2008 Ticketing".[13] On 4 August it was reported that more than A$50 million worth of fake tickets had been sold through the website.[14] On 6 August it was reported that the person behind the scam, which was wholly based outside China, was a British ticket tout, Terance Shepherd.[15]

Search engine optimization, or SEO, fraud involves a supposed Internet marketing specialist presenting a prospective client with detailed graphs and charts indicating that the client's web site receives some number of "hits" per month. The specialist claims his services will increase web traffic, thus increasing the site's sales revenue. After payment, the scammer does not provide the proposed services.

Click fraud occurs when websites that are affiliates of advertising networks that pay per view or per click use spyware to force views or clicks to ads on their own websites. The affiliate is then paid a commission on the cost-per-click that was artificially generated. Affiliate programs such as Google's AdSense pay high commissions that drive the generation of bogus clicks. With paid clicks costing as much as US$100[verification needed] and an online advertising industry worth more than US$10 billion, this form of Internet fraud is on the increase.[citation needed][16]

Phishing is the act of masquerading as a trustworthy person or business to fraudulently acquire sensitive information, such as passwords and credit card details, that a victim might think reasonable to share with such an entity. Phishing usually involves seemingly official electronic notifications or messages, such as e-mails or instant messages. It is a form of social engineering.

The term phishing was coined in the mid-1990s by black-hat computer hackers attempting to gain access to AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password to "verify your account" or to "confirm billing information". Once the victim gave their password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.

Fraudsters have widely used e-mail spam messages posing as large banks like Citibank, Bank of America, or PayPal in phishing attacks. These fraudsters copy the code and graphics from legitimate websites and use them on their own sites to create legitimate-looking scam web pages. These pages are so well done that most people cannot tell that they have navigated to a scam site.

Phishers will also add what appears to be a link to a legitimate site in an e-mail, but use specially crafted HTML source code that actually links to the scammer's fake site. Such links can often be revealed by using the "view source" feature in the e-mail application to look at the destination of the link, or by putting the mouse pointer over the link and looking at the URL then displayed in the status bar of the web browser.

The small percentage of people that fall for such phishing scams, multiplied by the sheer numbers of spam messages sent, presents the fraudster with a substantial incentive to keep doing it.

Sender data shown in emails can be "spoofed", displaying a fake return address on outgoing email to hide the true origin of the message, therefore protecting it from being traced. The Sender Policy Framework protocol helps to combat email spoofing.[17]

By constructing a fake web site that looks like a legitimate site that might ask for the user's personal information, such as a copy of a bank's website, the fraudster can "phish", or steal by means of false pretenses, a victim's passwords, PIN or bank account number. The combination of domain hijacking with a phishing website constitutes pharming.

Although many such sites use the Secure Sockets Layer (SSL) protocol to identify themselves cryptographically and prevent such fraud, SSL offers no protection if users ignore their web browsers' warnings about invalid SSL server certificates. Such warnings occur when a user connects to a server whose SSL certificate does not match the address of the server.

Online stock market manipulation schemes, or investment schemes, involve attempts to manipulate securities prices on the market for the personal profit of the scammer. According to the United States Securities and Exchange Commission, the two main methods used by these criminals are "Pump-and-dump" and "Short-selling", or "scalping".

In a pump-and-dump scheme, false or fraudulent information designed to cause a dramatic price increase in thinly traded stocks or stocks of shell companies is disseminated in chat rooms, forums, internet boards, or via email (typically as spam). This is called the "pump". As soon as the price reaches the desired level, criminals immediately sell off their holdings of those stocks (the "dump"), which were previously purchased at the "un-pumped" price, thus realizing substantial profits before the stock price falls back to its usual low level.

Any buyers of the stock who are unaware of the scheme become victims once the price falls. When they realize the fraud, it is too late to sell; they have lost a high percentage of their money. Even if the stock value does increase, the stocks may be difficult to sell if there are no interested buyers, leaving the victim holding the unsalable shares for far longer than they desire.

A short-selling scheme is similar to the "pump-and-dump" scheme. The swindler disseminates false or fraudulent information through the same methods, but this time with the purpose of causing dramatic price decreases in a specific company's stock. Once the stock price falls to the desired level, the fraudster buys the stock (or options on the stock), and then reverses the false information—or just waits for the effects of the fraudulent information to wear off with time, or be disproved by the company or the media. Once the stock goes back to its normal level, the criminal sells the stock or option at a profit.[18]